Link to portal for reporting security vulnerabilities in Microsoft packages #8655

jcjiang · 2021-06-23T19:04:18Z

Currently, the only option for users seeking to report a security vulnerability they found in a hosted package is to submit the report under:

This is an issue because

these reports enter with the category of 'this package has malicious code,' which is a different problem
comes in as email to a list, can be lost
case does not undergo formal evaluation and severity rating
no Microsoft CVE attached
not updated on the regular security monthly release schedule

Add an option to the dropdown:

Selecting the option results in the following text:

The hyperlink leads to the following form:

This feature came from conversation with VS security and MSRC PMs.

jcjiang added Area: Security Area: Support labels Jun 23, 2021

jcjiang assigned drewgillies and jcjiang Jun 23, 2021

jcjiang mentioned this issue Jun 23, 2021

Streamline RAC form and encompass additional scenarios #8657

Closed

drewgillies added this to the Sprint 2021-07 milestone Jul 5, 2021

shishirx34 modified the milestones: Sprint 2021-07, Sprint 2021-08 Jul 30, 2021

drewgillies modified the milestones: Sprint 2021-08, Sprint 2021-09 Sep 7, 2021

drewgillies mentioned this issue Sep 28, 2021

Streamline report package page and add vulnerability text #8831

Merged

agr modified the milestones: Sprint 2021-09, Sprint 2021-10 Oct 4, 2021

drewgillies added the Verified-Dev label Oct 5, 2021

loic-sharma mentioned this issue Oct 15, 2021

[Deployment] 2021.10.15 #8850

Closed

7 tasks

drewgillies added Verified-Int Verified-Prod labels Oct 18, 2021

drewgillies closed this as completed Oct 20, 2021

Provide feedback